Main features:
- password-based SSH authentication with OpenSSH with the password stored in KeepPass (
.kdbx
) files.
Other features:
- can serve password from multiple KeePass files;
- automatically reloads the
.kdbx
file on change; - support for socket-activation;
- support for exiting after some idle duration;
- support for KeePass field references;
- some support for bastions.
Running the MimiKeePass daemon:
mimikeepass serve ./secrets.kdbx
This will prompt for the KeePass file(s) password(s) and will provide passwords to client applications.
mimikeepass password --url http://www.example.com --username john
In your KeePass file, add an entry for your SSH server:
- URL of the form
ssh://server1.example.com
; - login
johndoe
; - password.
The OpenSSH integration supports password-based authentication.
You might need to disable keyboard interactive authentication
for this server in you OpenSSH client configuration (~/.ssh/ssh_config
):
Host server1.example.com
User johndoe
PreferredAuthentications publickey,password
Run OpenSSH with MimiKeePass integration:
miikeepass-run ssh server1.example.com
If you have a bestion server which accepts connections of the form:
Host bastion.example.com
User johndoe@idp.example.com
PreferredAuthentications publickey,password
Host server1.example.com
Hostname bastion.example.com
User root@XXXX@server1:SSH:XXXX:johndoe@idp.example.com
PreferredAuthentications publickey,password
Host server1.example.com
Hostname bastion.example.com
User root@XXXX@server2:SSH:XXXX:johndoe@idp.example.com
PreferredAuthentications publickey,password
You can use a shared KeePass entry:
- URL of the form
ssh://bastion.example.com
; - login
johndoe@idp.example.com
; - password.
CLI interface is probably going to be quite stable.
Python API is not stable (for now).
Protocol (varlink) interface is not stable (for now).
- logging
- support for OpenVPN (using the management interface)
- notifications using OSC 777, OSC 99, OSC 9
- notifications using BEL
- FreeDesktop notifications
- optional integration with FreeDesktop Secret Service?
Why using password based authentication when you can use public key authentication?
If you can use public key authentication authentication, you probably should. However sometimes, you need to connect to SSH servers which do not support public key authentication for some reason.
Why not using Secret Service (possibly with KeePassXC support for the Secret Service interface)?
You can only have a single Secret Service daemon running in your session at the same time. However, you might want to have some secrets stored in your system Secret Service and other password stored in a KeePass file. Using a dedicated daemon which is not using the Secret Service API makes it possible to run a Mimikeepass independently of your system Secret Service daemon.
You can even launch several independant MimiKeePass daemons (using different sockets).
This is achieved using the MIMIKEEPASS_SOCKET
environment variable.